From 5c6964439ee6944d5c67aecf3ab07b716dbaa55e Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Wed, 15 Apr 2026 17:11:39 -0700
Subject: [PATCH] fix(security): unbounded `limit` parameter in user search can be

The `index(string $filter = '', int $limit = 5)` method accepts client-controlled `limit` and passes it directly to collaborator search. Without an upper bound, an attacker can request very large limits, causing expensive directory lookups and increased response size.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 lib/Controller/UserApiController.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/Controller/UserApiController.php b/lib/Controller/UserApiController.php
index 948111f6bf2..7bb726a23f6 100644
--- a/lib/Controller/UserApiController.php
+++ b/lib/Controller/UserApiController.php
@@ -55,6 +55,7 @@ public function index(string $filter = '', int $limit = 5): DataResponse {
 if (!$this->getSession()->isGuest()) {
 // Add other users to the autocomplete list
+ $limit = min($limit, 50);
 [$result] = $this->collaboratorSearch->search($filter, [IShare::TYPE_USER], false, $limit, 0);
 $userSearch = array_merge($result['users'], $result['exact']['users']);